CME Structure and Configuration

These sections explain the primary concepts of CME configuration.

CME Directories and Files

About CME Service Commands

After a successful installation, CME runs the 'cme' service.

  • Stop the service: service cme stop

  • Start the service: service cme start

  • Restart the service: service cme restart

  • Test the service: service cme test

  • Get the status of the service: service cme status

Locating the Configuration Files

CME's primary configuration file is autoprovision.json, and CME maintains backup files for it:

  • autoprovision.json.bak - created when the configuration changes.

  • autoprovision.json.bak_schema - created when the CME schema version is updated (see the Schema section).

To find the CME configuration files, use one of these directories:

The configuration files are synchronized between the primary and secondary servers in a Management High Availability environment.

The CME Logs

The CME log files are:

  • Primary CME Service log: /var/log/CPcme/cme.log*

  • CME command line menu log: /var/log/CPcme/cme_menu.log

More logs used by Check Point Support:

  • rest_infra.log

  • cme_api.log

  • gunicorn_server.log

  • diagnostics.log

See CME Log Collector.

CME Authentication

This section describes the necessary steps for CME authentication with different public cloud platforms.

AWS

Refer to sk130372 > 3. Creating an AWS IAM User and IAM Role section.

AWS Controller (account) connects to these URLs:

  • https://ec2.<region_code>.amazonaws.com

  • https://elasticloadbalancing.<region_code>.amazonaws.com

For example, https://ec2.ap-northeast-2.amazonaws.com/.

Azure

For authentication with Azure, you can use Microsoft Entra ID (formerly Azure AD) or Azure Identity and Access Management (IAM).

Option 1: Create a Microsoft Entra ID application registration and Service Principal

With a Microsoft Entra ID application and Service Principal, the Check Point Security Management Server (a Single-Domain Security Management Server or a Multi-Domain Security Management Server) monitors the creation and status of the VMSS, so that it can complete the provisioning of these Security Gateways.

Note - Grant the Service Principal at least "Managed Application Contributor", "Storage Account Contributor", "Network Contributor", and "Virtual Machine Contributor" permissions to the Azure subscription.

For any extra permissions needed, see the official Microsoft documentation for guidance.

  1. Connect to portal.azure.com.

  2. Click Microsoft Entra ID.

  3. Click +Add > App registration. The Register an application screen opens.

  4. Create new registration:

    1. Select a meaningful Name.

    2. Supported account types - Select Accounts in this organizational directory only (Single tenant).

    3. Redirect URL - Select Web, and type https://localhost/<vmss-name>, where <vmss-name> can be any name.

    4. Click Register. The new application is created.

    5. In the new application screen, on the left menu pane, click Manage > Certificates and secrets.

    6. In the Client Secrets tab, click + New Client Secret.

    7. Set an expiration period for the secret.

    8. Click Add.

    9. Copy the secret value now and store it securely. You cannot view the value again later.

After you create the application, write down these values; you use them in the "Configure the Check Point Security Management Server" step:

  • Application ID - used as client_id

  • Key (client secret) value - used as client_secret

  • Tenant ID - used as the directory (tenant) ID

Permissions:

Give the Microsoft Entra ID application a minimum role of Reader to the VMSS and the VNET as explained here.

Option 2: Configure Azure IAM on the Security Management Server

To enable the system-assigned managed identity for the Security Management Server Virtual Machine, do these steps:

  1. Connect to portal.azure.com.

  2. Go to the desired VM and open its settings.

  3. In the left pane, go to "Security" > "Identity".

  4. Under “System assigned”, switch "Status" to "On".

  5. Save the changes.

Permissions:

Assign the Security Management Server's managed identity a minimum role of Reader on the VMSS and the VNET as explained here.

Azure Controller (account) connects to these URLs:

  • AzureCloud

    • https://core.windows.net

    • https://management.azure.com

    • https://login.microsoftonline.com

  • AzureChinaCloud

    • https://login.chinacloudapi.cn

    • https://management.chinacloudapi.cn

    • https://core.chinacloudapi.cn

  • AzureUSGovernment

    • https://login.microsoftonline.us

    • https://management.usgovcloudapi.net

    • https://core.usgovcloudapi.net

GCP

Create a Google Cloud Platform (GCP) Service Account

The Check Point Security Management Server uses the GCP Service account to monitor the creation and status of the autoscaling Managed Instance Group. This lets the Security Management Server complete provisioning of these Security Gateways.

To create a GCP service account:

  1. Go to https://cloud.google.com/iam/docs/creating-managing-service-accounts.

    Use these parameters:

      • Name: check-point-autoprovision

      • Role: Compute Engine > Compute Viewer

  2. Click Create Key > JSON (as the key type). A JSON file is downloaded to your computer. This file contains the service account's private key, so store it securely.

    Note - This JSON file is later used as the credentials file in CME Structure and Configuration.

Permissions:

"Compute viewer"

GCP Controller (account) connects to this URL:

https://www.googleapis.com/

OCI

To add user permissions:

  1. Create a group with required permissions:

    1. Go to Identity & Security > Identity > Domains.

    2. Select the user domain.

    3. On the left pane, click Groups.

    4. Click Create Group and follow the steps to create a group with autoscale permissions.

    5. After creating the group, go to Identity & Security > Identity > Policies.

    6. Create a new policy with these permissions (replace <domain>, <group_name>, and <compartment_name> with corresponding names):

      Allow group <domain>/<group_name> to manage instance-family in compartment <compartment_name>

      Allow group <domain>/<group_name> to inspect vnic-attachments in compartment <compartment_name>

      Allow group <domain>/<group_name> to manage virtual-network-family in compartment <compartment_name>

      Allow group <domain>/<group_name> to inspect instance-pools in compartment <compartment_name>

  2. Assign a user to the group:

    1. Go to Identity & Security > Identity > Domains.

    2. Select the user domain.

    3. In the Identity domain menu at the left, click Groups.

    4. Select the group with autoscale permissions (created in Step 1).

    5. Click Assign user to groups.

    6. Select the user from the list and click Add.

To generate an API signing key pair:

Refer to the OCI documentation for the most up-to-date instructions.

After you have generated the API signing key pair and downloaded the private API key, write down these values (you will need them later for the Security Management Server configuration step):

Configuring CME in SmartConsole (recommended)

CME is integrated into SmartConsole (the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on), Web SmartConsole, and Smart-1 Cloud starting from:

This integration facilitates cloud-native connectivity between Check PointCloudGuard Network solutions and various cloud platforms.

To configure CME controllers (accounts) and create configuration templates with SmartConsole, go to Manage & Settings > CloudGuard Network.

Add an account

  1. To add the first account for the cloud provider, on the corresponding cloud provider tile, click Add account.

    Note - To add more accounts, click the Edit button at the right, above the cloud provider tiles. The CME Overview page opens. Then click the icon above the Accounts table.

    The CME Account window opens.

  2. Give the account a name.

  3. In the Platform drop-down list, select AWS, GCP, or Azure.

  4. Enter the parameters.

  5. Click OK to save the changes.

Parameters for AWS

  • Access Key ID - AWS Access Key ID. This parameter is mandatory unless you select Role Authentication (IAM).

  • Secret Access Key - AWS Secret Access Key. This parameter is mandatory unless you select Role Authentication (IAM).

  • Role Authentication (IAM) - Use IAM role authentication instead of an Access Key ID and Secret Access Key. This option is available only in on-premises Security Management Server deployments. It is not available in Smart-1 Cloud.

  • Regions - The AWS regions in which the Security Gateways are deployed.

  • STS Role - The Amazon Resource Name (ARN) of an IAM role to assume.

  • STS External ID - An optional STS External ID to use when assuming an IAM role in the account.

  • Scan Gateway Load Balancer subnets - Enable to scan Gateway Load Balancer subnets.

  • Synchronize VPN - Enable to synchronize VPN.

  • Sub Accounts - Add new sub-accounts or configure properties of existing sub-accounts. The sub-account name must be unique. For each sub-account, enter an STS Role or STS External ID.

Parameters for Azure

  • Application ID - The service principal's application (client) ID in UUID format.

  • Client Secret - The service principal's client secret value.

  • Directory ID - The Microsoft Entra tenant (directory) ID in UUID format.

  • Subscription ID - The ID of the subscription where the VMSS resides, in UUID format.

  • Azure Environment - Select the environment in the drop-down list. The default value is "Azure Cloud".

Parameters for GCP

  • Service Account Key Authentication - Upload the service account key file in JSON format. This file contains the service account's private key; handle it as a secret.

Edit an account

  1. To edit an account, click the Edit button at the right, above the cloud provider tiles.

    The CME Overview window opens.

  2. In the Accounts table, select the account you want to edit and click the "pencil" icon in the toolbar above the table.

    The CME Account window opens.

  3. Edit the parameters.

  4. Click OK to save the changes.

Add a Security Gateway configuration template

  1. To add the first Security Gateway configuration template to the cloud provider account, on the corresponding cloud provider tile, click Add template.

    Note - To add more templates, click the Edit button at the right, above the cloud provider tiles. The CME Overview page opens. Then click the icon above the Gateway Templates table.

    The CME Template window opens.

  2. Give the Security Gateway configuration template a name.

  3. In the Gateway Settings section, in the Account drop-down list, select the applicable Account.

  4. Select the Security Gateway version.

  5. Enter a one-time password.

  6. Confirm the one-time password.

  7. On the Network Security and Threat Prevention tabs, select the checkboxes for the blades you want to enable on the Security Gateway.

  8. In the CME Attributes section, select the policy to install on the Security Gateway.

    Note - To add support for AWS Transit Gateways to the AWS account, configure the below parameters in the CME Attributes section.

    Parameters for AWS Transit Gateway:

      • VPN Domain - A VPN Domain.

      • VPN Community - A VPN Star community where the VPN Gateway is the center.

      • TGW Static Routes - Enter network addresses (CIDR) to create a static route on each Gateway of the Transit Gateway auto-scaling group.

      • TGW Static Spokes - Spoke CIDRs learned from the TGW over BGP that are re-advertised by the Gateways of the TGW auto-scaling group to the AWS TGW.

    For more information on AWS Transit Gateway, refer to CloudGuard Network for AWS Transit Gateway Deployment Guide.

    Note - To add IPv6 support to the Azure account, select the IPv6 checkbox in the CME Attributes section.

  9. Provide the repository script name and parameters if necessary.

  10. In the Logs section, add log servers.

  11. In the NAT section, select which settings to use for communication with the Security Management Server or log servers when they are behind NAT or in the public cloud.

    Note - This section is enabled only for the R82 version of Security Gateway.

  12. Click OK to save the changes.

Edit a Security Gateway configuration template

  1. To edit a Security Gateway configuration template, click the Edit button at the right, above the cloud provider tiles.

    The CME Overview window opens.

  2. In the Accounts table, select the account whose templates you want to edit.

  3. In the Gateway Templates table, select the template you want to edit and click the "pencil" icon in the toolbar above the table.

    The CME Template window opens.

  4. Edit the parameters.

  5. Click OK to save the changes.

Advanced settings

To open the Advanced Settings window, click the Advanced link at the right, above the cloud provider tiles. In this section, you can:

  • Change the Security Management Server name.

  • Change the Delay Cycle value (the waiting time after each poll cycle).

  • Download logs with information about CME operations and API calls.

Configuring CME using CME Management API (recommended)

We recommend using CME Management API to configure CME.

CME API Documentation:

Prerequisites:

  • CME Take 139 or higher installed on the Security Management Server.

  • Management API version 1.8 or higher installed on the Security Management Server (see the Check Point Management API Reference).

Configuring Delay using CME API

CME API uses a "delay_cycle" parameter to set the sleep time (in seconds) between CME iterations.

The default "delay_cycle" value is 30 seconds.

To see the current "delay_cycle" value with CME API:

Send a GET request:

GET https://<Management_IP_address>/web_api/v1.8/cme-api/v1.2.3/generalConfiguration/delayCycle

Response example:

{

 "result": {

  "delay_cycle": 30

  },

 "status-code": 200

}

To set the "delay_cycle" value with CME API:

Send a PUT request:

PUT https://<Management_IP_address>/web_api/v1.8/cme-api/v1.2.3/generalConfiguration/delayCycle

Request body parameters:

  • delay_cycle - Time (in seconds) to wait after each poll cycle.

Example:

PUT request:

PUT https://<Management_IP_address>/web_api/v1.8/cme-api/v1.2.3/generalConfiguration/delayCycle

Body:

{

    "delay_cycle": 60

}
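A thin client for the two calls above, as an added example rather than Check Point's own tooling. It assumes, since this page does not say so, that CME API requests travel over a Management API session: log in with POST /web_api/login, then send the returned sid in the X-chkp-sid header on every later request (the standard Management API pattern). The host name, user, password and the fake server are constructed so the flow runs offline; swap in urllib_transport(cafile) to talk to a real Security Management Server.

```python
"""Added example, not Check Point's code: a small client for the CME API calls
shown above, with a pluggable transport so the exchange runs offline.
Assumed here rather than stated on the page: CME API calls ride on a
Management API session (POST /web_api/login, then X-chkp-sid on each call).
Host, user, password and the fake server below are constructed placeholders.
"""
import json
import ssl
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# A transport takes (method, url, headers, body) and returns (status, body).
Transport = Callable[[str, str, Dict[str, str], str], Tuple[int, str]]
MGMT_API = "v1.8"
CME_API = "cme-api/v1.2.3"


class CmeApiError(RuntimeError):
    pass


class CmeClient:
    def __init__(self, mgmt_host: str, transport: Transport) -> None:
        self.base = f"https://{mgmt_host}/web_api"
        self.transport = transport
        self.sid: Optional[str] = None

    def login(self, user: str, password: str) -> str:
        status, body = self.transport("POST", f"{self.base}/login",
                                      {"Content-Type": "application/json"},
                                      json.dumps({"user": user, "password": password}))
        if status != 200:
            raise CmeApiError(f"login failed: HTTP {status} {body}")
        self.sid = json.loads(body)["sid"]
        return self.sid

    def logout(self) -> None:
        # Close the session instead of leaving it to expire on the server.
        if self.sid:
            self._session_call("POST", f"{self.base}/logout", "{}")
            self.sid = None

    def _session_call(self, method: str, url: str, body: str) -> Tuple[int, str]:
        headers = {"Content-Type": "application/json", "X-chkp-sid": self.sid or ""}
        return self.transport(method, url, headers, body)

    def _cme(self, method: str, path: str, payload: Optional[dict] = None) -> dict:
        if self.sid is None:
            raise CmeApiError("call login() first")
        url = f"{self.base}/{MGMT_API}/{CME_API}/{path}"
        status, body = self._session_call(method, url, "" if payload is None else json.dumps(payload))
        data = json.loads(body) if body else {}
        # CME answers carry their own "status-code" next to the HTTP status; check both.
        if status != 200 or data.get("status-code", 200) != 200:
            raise CmeApiError(f"{method} {path} -> HTTP {status}: {body}")
        return data.get("result", data)

    def get_delay_cycle(self) -> int:
        return int(self._cme("GET", "generalConfiguration/delayCycle")["delay_cycle"])

    def set_delay_cycle(self, seconds: int) -> dict:
        # Refuse values that would make CME poll the cloud APIs in a tight loop.
        if isinstance(seconds, bool) or not isinstance(seconds, int) or seconds <= 0:
            raise ValueError("delay_cycle must be a positive number of seconds")
        return self._cme("PUT", "generalConfiguration/delayCycle", {"delay_cycle": seconds})


def urllib_transport(cafile: str) -> Transport:
    """Real transport. cafile is the Security Management Server's certificate
    (or its issuing CA); pin it rather than turning verification off."""
    ctx = ssl.create_default_context(cafile=cafile)

    def send(method: str, url: str, headers: Dict[str, str], body: str) -> Tuple[int, str]:
        req = urllib.request.Request(url, data=body.encode() if body else None,
                                     headers=headers, method=method)
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode("utf-8", "replace")
    return send


def fake_transport(state: dict) -> Transport:
    """Constructed stand-in for the server, answering in the shapes this page shows."""
    def send(method: str, url: str, headers: Dict[str, str], body: str) -> Tuple[int, str]:
        if url.endswith("/web_api/login"):
            if json.loads(body) != {"user": "cme-admin", "password": "example-only"}:
                return 400, json.dumps({"message": "Authentication failed"})
            return 200, json.dumps({"sid": "constructed-session-id"})
        if headers.get("X-chkp-sid") != "constructed-session-id":
            return 401, json.dumps({"message": "Missing or invalid session"})
        if url.endswith("/web_api/logout"):
            return 200, json.dumps({"message": "OK"})
        if url.endswith(f"/{CME_API}/generalConfiguration/delayCycle"):
            if method == "PUT":
                state["delay_cycle"] = json.loads(body)["delay_cycle"]
            return 200, json.dumps({"result": {"delay_cycle": state["delay_cycle"]},
                                    "status-code": 200})
        return 404, json.dumps({"message": "Unknown path"})
    return send


def demo() -> Tuple[int, int]:
    """Log in, read the default delay (30), raise it to 60, read it back, log out."""
    state = {"delay_cycle": 30}
    client = CmeClient("mgmt.example.internal", fake_transport(state))
    client.login("cme-admin", "example-only")
    before = client.get_delay_cycle()
    client.set_delay_cycle(60)
    after = client.get_delay_cycle()
    client.logout()
    return before, after
```

demo() returns (30, 60). Two choices worth copying: set_delay_cycle rejects zero or negative values before they reach the server, and the real transport pins the management server's certificate through cafile; when the server still uses its default self-signed certificate, point cafile at that certificate rather than disabling verification.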

Configuring Management using CME API

To see the current Management configuration with CME API:

Send a GET request:

GET https://<Management_IP_address>/web_api/v1.8/cme-api/v1.2.3/management

Response example:

{

 "result": {

  "custom_script": "/opt/CPsuite-R82/fw1/cme/my-script.sh",

  "host": "localhost",

  "name": "MGMT",

  "domain": "myDomain"

  },

 "status-code": 200

}

To edit the Management configuration with CME API:

Send a PUT request:

PUT https://<Management_IP_address>/web_api/v1.8/cme-api/v1.2.3/management

Request body parameters:

  • name - The name of the Security Management Server.

  • custom_script - The name of the script, which is located in $FWDIR/conf/cme.

  • domain - The Management's domain name in a Multi-Domain Server (MDS) environment.

Example:

PUT request:

PUT https://<Management_IP_address>/web_api/v1.8/cme-api/v1.2.3/management

Body:

{

    "name": "myMgmt",

    "custom_script": "my-script.sh",

    "domain": "myDomain"

}

Configuring Accounts (CME Controllers) with CME API

To connect to your cloud account and automatically provision Security Gateways deployed in the account, the Security Management Server needs cloud-specific information, including authorization settings.

To see all current accounts (controllers) used by the Security Management Server connected to the cloud environments:

Send a GET request:

GET https://<Management_IP_address>/web_api/v1.8/cme-api/v1.2.3/accounts

Response example:

{

 "result": [

  {

    "name": "myAzureAccount",

    "platform": "Azure",

    "gwConfiguration": [

      "myGwConfiguration",

      "myGWConfiguration-2"

    ],

    "subscription": "subscription",

    "directory_id": "directory_id",

    "application_id": "application_id",

    "client_secret": "__protected__autoprovision/client_secret",

    "deletion_tolerance": 3

  },

  {

    "name": "myAwsAccount",

    "platform": "AWS",

    "gwConfiguration": [

      "myGwConfiguration",

      "myGWConfiguration-2"

    ],

    "regions": [

      "Region-1",

      "Region-2"

    ],

    "credentials_file": "IAM",

    "deletion_tolerance": 0

  }

 ],

 "status-code": 200

}

To see details of a specific account (controller) used by the Security Management Server connected to the cloud environments:

Send a GET request:

GET https://<Management_IP_address>/web_api/v1.8/cme-api/v1.2.3/accounts/accountName

Response example:

{

 "result": [

  {

    "name": "myAzureAccount",

    "platform": "Azure",

    "gwConfiguration": [

      "myGwConfiguration",

      "myGWConfiguration-2"

    ],

    "subscription": "subscription",

    "directory_id": "directory_id",

    "application_id": "application_id",

    "client_secret": "__protected__autoprovision/client_secret",

    "deletion_tolerance": 3

  }

 ],

 "status-code": 200

}

To configure CME Azure account (controller) on the Security Management Server:

  1. With Microsoft Entra ID and Service Principal:

    Send a POST request:

    POST https://<Management_IP_address>/web_api/v1.8/cme-api/v1.2.3/accounts/azure

    Request body parameters:

      • name - Azure account name.

      • subscription - Azure subscription ID.

      • directory_id - The Microsoft Entra (formerly Azure Active Directory) tenant ID.

      • application_id - The service principal's application (client) ID.

      • client_secret - The service principal's client secret value.

      • deletion_tolerance - The number of cycles until a Gateway object in SmartConsole is deleted.

    This operation returns "status-code": 200.

  2. With Azure IAM (starting from CME API v1.2.3):

    Prerequisite: Security Management Server virtual machine is using a system-assigned managed identity.

    Send a POST request:

    POST https://<Management_IP_address>/web_api/v1.8/cme-api/v1.2.3/accounts/azure

    Request body parameters:

      • name - Azure account name.

      • subscription - Azure subscription ID.

      • iam - Enable/disable managed identity (IAM) authentication. Must be set to true for this option.

      • deletion_tolerance - The number of cycles until a Gateway object in SmartConsole is deleted.

      • domain - The domain name or domain UID that manages this controller. This parameter is mandatory for Multi-Domain Security Management Server environments with more than one domain configured.

      • environment - An optional attribute that specifies the Azure environment type. The possible values are AzureCloud (default), AzureChinaCloud, and AzureUSGovernment.

    This operation returns "status-code": 200.

To configure CME AWS account (controller) on the Security Management Server:

Send a POST request:

POST https://<Management_IP_address>/web_api/v1.8/cme-api/v1.2.3/accounts/aws

Request body parameters:

  • name - Your AWS account name.

  • regions - A comma-separated list of AWS regions where the gateways are deployed. For example: eu-west-1,us-east-1,eu-central-1.

  • deletion_tolerance - The number of cycles until a Gateway object in SmartConsole is deleted.

  • credentials_file - The path to a text file with the AWS credentials.

  • access_key - AWS Access Key ID.

  • secret_key - AWS Secret Access Key.

  • sts_role - The ARN of an STS role to assume.

  • sts_external_id - An optional STS External ID to use when assuming a role in the account.

  • scan_gateways - Set "true" to scan gateways with the AWS TGW solution.

  • scan_vpn - Set "true" to scan VPN with the AWS TGW solution.

  • scan_load_balancers - Set "true" to scan load balancers' access and NAT rules with the AWS TGW solution.

  • communities - An optional comma-separated list of communities that VPN connections discovered by this controller are allowed to join. If this attribute is missing or its value is an empty list, VPN connections that belong to this controller may join any community. This is useful to prevent the automatic addition of VPN connections to a community based on the customer gateway public IP address.

  • scan_subnets - Set "true" to scan subnets with the AWS GWLB solution.

  • scan_subnets_6 - Set "true" to scan IPv6 subnets with the AWS GWLB solution.

  • sub_accounts - A list of sub-accounts with their configuration parameters.

This operation returns "status-code": 200.

To configure CME GCP account (controller) on the Security Management Server:

Send a POST request:

POST https://<Management_IP_address>/web_api/v1.8/cme-api/v1.2.3/accounts/gcp

Request body parameters:

  • name - Your GCP account name.

  • project_id - The ID of the GCP project in which to scan for VM instances.

  • deletion_tolerance - The number of cycles until a Gateway object in SmartConsole is deleted.

  • credentials_file - The path to a text file with the GCP credentials.

  • credentials_data - The base64-encoded string that represents the content of the credentials file.

  • domain - The account's domain name in an MDS environment. Insert a null value for deletion.

This operation returns "status-code": 200.

To configure CME OCI account (controller) on the Security Management Server:

Send a POST request:

POST https://<Management_IP_address>/web_api/v1.8/cme-api/v1.3/accounts/oci

Request body parameters:

  • name - Your OCI account name.

  • compartment - The OCID (Oracle Cloud Identifier) of the compartment. For example: "ocid1.compartment.oc1..abcdefghijklmnopqrstuvwxyz".

  • region - An OCI region. For example: "eu-frankfurt-1".

  • realm_domain - The domain for the OCI realm. For example, "oraclecloud.com".

  • credentials_data - The base64-encoded string with OCI credentials. For example: "eyJ1c…".



Note - You must base64-encode this string: {"user":"<USER OCID>","tenancy":"<TENANCY OCID>", "key":"<CONTENTS OF PRIVATE KEY FILE>"}. Use OCI credentials from this step: OCI.

This operation returns "status-code": 200.

Configuring Templates (gateway-configurations) with CME API

Information required to automatically provision Security Gateways, such as what policy to install and which Software Blades to enable, is placed in a configuration template in the CME configuration.

We recommend configuring templates (gateway-configurations) with CME API.

To see all current templates (gateway-configurations) that you can apply on Security Gateways:

Send a GET request:

GET https://<Management_IP_address>/web_api/v1.8/cme-api/v1.2.3/gwConfigurations

Response example:

{

 "result": [

  {

    "name": "azureGwConfiguration",

    "version": "R81.20",

    "sic_key": "__protected__autoprovision/sic_key",

    "policy": "Standard",

    "related_account": "azureAccount",

    "blades": {

      "ips": true,

      "anti-virus": true

    }

  },

  {

    "name": "gcpGwConfiguration",

    "version": "R82",

    "sic_key": "__protected__autoprovision/sic_key",

    "policy": "Standard",

    "related_account": "gcpAccount",

    "blades": {

      "ips": true,

      "anti-virus": true,

      "https-inspection": true

    }

  }

 ],

 "status-code": 200

}

To see details of a specific template (gateway-configuration):

Send a GET request:

GET https://<Management_IP_address>/web_api/v1.8/cme-api/v1.2.3/gwConfigurations/templateName

Response example:

{

 "result": [

  {

    "name": "azureGwConfiguration",

    "version": "R81.20",

    "sic_key": "__protected__autoprovision/sic_key",

    "policy": "Standard",

    "related_account": "azureAccount",

    "blades": {

      "ips": true,

      "anti-virus": true

    }

  }

 ],

 "status-code": 200

}

To configure CME Azure template (gateway-configuration) on the Security Management Server:

Send a POST request:

POST https://<Management_IP_address>/web_api/v1.8/cme-api/v1.2.3/gwConfigurations/azure

Request body parameters:

  • name - Unique configuration template name for identification.

  • version - The Security Gateway version.

  • base64_sic_key - Key for trusted communication between the Security Management Server and the Security Gateway. A base64-encoded string; the decoded string must be between 8 and 30 alphanumeric characters.

  • policy - Policy name to be installed on the Security Gateway.

  • related_account - Azure account to associate with the Security Gateway configuration.

  • blades - Blades to activate/deactivate on the Security Gateway.

  • identity_awareness_settings - Identity Awareness (the Software Blade that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer; acronym: IDA) settings that can be configured on the Security Gateway.

  • repository_gateway_scripts - A name or UID of a script that exists in the scripts repository on the Security Management Server.

  • x_forwarded_for - Enable XFF headers in HTTP / HTTPS requests.

  • section_name - Name of a rule section in the Access and NAT layers of the policy where the automatically generated rules are inserted.

  • color - Color of the Security Gateway objects in SmartConsole.

  • communication_with_servers_behind_nat - "Gateway behind NAT" communication settings with the Check Point servers (Management, Multi-Domain, Log Servers).

  • ipv6 - Enable IPv6 for the Azure VMSS.

  • send_logs_to_server - Names of Primary Log Servers to which logs are sent.

  • send_logs_to_backup_server - Names of Backup Log Servers to which logs are sent when the Primary Log Servers are not available.

  • send_alerts_to_server - Names of Alert Log Servers to which alerts are sent.

This operation returns "status-code": 200.

To configure CME AWS template (gateway-configuration) on the Security Management Server:

Send a POST request:

POST https://<Management_IP_address>/web_api/v1.8/cme-api/v1.2.3/gwConfigurations/aws

Request body parameters:

  • name - Unique configuration template name for identification.

  • version - The Security Gateway version.

  • base64_sic_key - Key for trusted communication between the Security Management Server and the Security Gateway. A base64-encoded string; the decoded string must be between 8 and 30 alphanumeric characters.

  • policy - Policy name to be installed on the Security Gateway.

  • related_account - AWS account to associate with the Security Gateway configuration.

  • blades - Blades to activate/deactivate on the Security Gateway.

  • identity_awareness_settings - Identity Awareness settings that can be configured on the Security Gateway.

  • repository_gateway_scripts - A name or UID of a script that exists in the scripts repository on the Security Management Server.

  • x_forwarded_for - Enable XFF headers in HTTP / HTTPS requests.

  • section_name - Name of a rule section in the Access and NAT layers of the policy where the automatically generated rules are inserted.

  • color - Color of the Security Gateway objects in SmartConsole.

  • communication_with_servers_behind_nat - "Gateway behind NAT" communication settings with the Check Point servers (Management, Multi-Domain, Log Servers).

  • vpn_domain - The VPN domain for the VPN gateway.

  • vpn_community - A star community in which to place the VPN gateway as the center.

  • deployment_type - The deployment type of the CloudGuard Security Gateways.

  • tgw_static_routes - Comma-separated list of CIDRs. For each CIDR, a static route is created on each gateway of the TGW auto scaling group.

  • tgw_spoke_routes - Comma-separated list of spoke CIDRs. Each spoke CIDR learned from the TGW over BGP is re-advertised by the gateways of the TGW auto scaling group to the AWS TGW.

  • send_logs_to_server - Names of Primary Log Servers to which logs are sent.

  • send_logs_to_backup_server - Names of Backup Log Servers to which logs are sent when the Primary Log Servers are not available.

  • send_alerts_to_server - Names of Alert Log Servers to which alerts are sent.

This operation returns "status-code": 200.

To configure CME GCP template (gateway-configuration) on the Security Management Server:

Send a POST request:

POST https://<Management_IP_address>/web_api/v1.8/cme-api/v1.2.3/gwConfigurations/gcp

Request body parameters:

  • name - Unique configuration template name for identification.

  • version - The Security Gateway version.

  • base64_sic_key - Key for trusted communication between the Security Management Server and the Security Gateway. A base64-encoded string; the decoded string must be between 8 and 30 alphanumeric characters.

  • policy - Policy name to be installed on the Security Gateway.

  • related_account - GCP account to associate with the Security Gateway configuration.

  • blades - Blades to activate/deactivate on the Security Gateway.

  • identity_awareness_settings - Identity Awareness settings that can be configured on the Security Gateway.

  • repository_gateway_scripts - A name or UID of a script that exists in the scripts repository on the Security Management Server.

  • x_forwarded_for - Enable XFF headers in HTTP / HTTPS requests.

  • section_name - Name of a rule section in the Access and NAT layers of the policy where the automatically generated rules are inserted.

  • color - Color of the Security Gateway objects in SmartConsole.

  • communication_with_servers_behind_nat - "Gateway behind NAT" communication settings with the Check Point servers (Management, Multi-Domain, Log Servers).

  • send_logs_to_server - Names of Primary Log Servers to which logs are sent.

  • send_logs_to_backup_server - Names of Backup Log Servers to which logs are sent when the Primary Log Servers are not available.

  • send_alerts_to_server - Names of Alert Log Servers to which alerts are sent.

This operation returns "status-code": 200.

To configure CME OCI template (gateway-configuration) on the Security Management Server:

Send a POST request:

POST https://<Management_IP_address>/web_api/v1.8/cme-api/v1.3/gwConfigurations/oci

Request body parameters:

  • name - Unique configuration template name for identification.

  • version - The Security Gateway version.

  • base64_sic_key - Key for trusted communication between the Security Management Server and the Security Gateway. A base64-encoded string; the decoded string must be between 8 and 30 alphanumeric characters.

  • policy - Policy name to be installed on the Security Gateway.

  • related_account - OCI account to associate with the Security Gateway configuration.

  • blades - Blades to activate/deactivate on the Security Gateway.

  • repository_gateway_scripts - A name or UID of a script that exists in the scripts repository on the Security Management Server.

  • x_forwarded_for - Enable XFF headers in HTTP / HTTPS requests.

  • section_name - Name of a rule section in the Access and NAT layers of the policy where the automatically generated rules are inserted.

  • color - Color of the Security Gateway objects in SmartConsole.

  • communication_with_servers_behind_nat - "Gateway behind NAT" communication settings with the Check Point servers (Management, Multi-Domain, Log Servers).

  • send_logs_to_server - Names of Primary Log Servers to which logs are sent.

  • send_logs_to_backup_server - Names of Backup Log Servers to which logs are sent when the Primary Log Servers are not available.

  • send_alerts_to_server - Names of Alert Log Servers to which alerts are sent.

This operation returns "status-code": 200.

Configuring Identity Sharing using CME API

Identity Sharing lets Identity Awareness Security Gateways configured as Policy Decision Points (PDPs) retrieve identity information and share it with other Security Gateways acting as Policy Enforcement Points (PEPs). This reduces the load on identity sources and improves system performance.

Examples of Identity Sharing topologies:

Configuring Identity Sharing

Starting from CME API v1.2.2, you can set up Identity Sharing for the Auto Scaling instances to let them receive identities from configured PDP Security Gateways. This feature is part of the Identity Awareness settings.

Prerequisites:

  • Set up static Identity Awareness Security Gateways as PDPs to share identities. For more information, see the Identity Sharing documentation.

  • Configure the Auto Scaling instance template to receive identities from those PDP Security Gateways.

  • In Multi-Domain Security Management deployments, make sure the PDP Security Gateways and the Auto Scaling Security Gateway instances exist in the same domain.

To configure Identity Sharing using CME API:

Send a POST request:

POST https://<Management_IP_address>/web_api/v1.8/cme-api/v1.2.2/gwConfigurations/<azure/gcp/aws>

Request body parameters for Identity Sharing:

  • blades - A container object that holds blades configuration parameters. It contains:

    identity-awareness - Enable or disable the Identity Awareness blade.

  • identity_awareness_settings - A container object that holds configuration parameters of the Identity Awareness blade. It contains:

    enable_cloudguard_controller - Enable or disable the Web API identity source for the CloudGuard Controller.

    receive_identities_from - A list of PDP Security Gateway names from which to receive identities through Identity Sharing.

Note - Enabling the Identity Awareness blade without setting the Identity Awareness Settings automatically enables the Web API identity source for the CloudGuard Controller (the enable_cloudguard_controller parameter value is set to true).

Example:

POST request:

URL: POST https://<Management_IP_address>/web_api/v1.8/cme-api/v1.2.2/gwConfigurations/<azure/gcp/aws>

Body:

{
    "name": "gwConfigurationExample",
    "base64_sic_key": "MTIzNDU2Nzg=",
    "version": "R81.20",
    "policy": "Standard",
    "blades": {"identity-awareness": true},
    "identity_awareness_settings": {
        "enable_cloudguard_controller": false,
        "receive_identities_from": ["PDP_GW1", "PDP_GW2"]
    },
    "related_account": "accountNameExample"
}
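As an added Python example (not Check Point's code) that ties the OCI template parameters and the Identity Sharing body together, the following client-side helper enforces the documented base64_sic_key constraint (decoded value of 8 to 30 alphanumeric characters), assembles the gwConfigurations body and prepares the POST. It assumes a Management API session id obtained earlier with the regular login call and sent in the X-chkp-sid header; the check that identity_awareness_settings is only sent when the identity-awareness blade is enabled is this example's own assumption, not a documented API rule.

```python
import base64
import json
import re
from urllib.request import Request

# Added example, not Check Point code. The CME API paths are the ones this
# page documents; the X-chkp-sid session header is assumed to come from an
# earlier Management API login.
OCI_CME_API = "v1.3"                 # gwConfigurations/oci
IDENTITY_SHARING_CME_API = "v1.2.2"  # gwConfigurations/<azure/gcp/aws>

# Documented constraint: the decoded SIC key is 8..30 alphanumeric characters.
SIC_KEY_RE = re.compile(r"[A-Za-z0-9]{8,30}")


def validate_sic_key(b64_key: str) -> bool:
    """Return True only if the key satisfies the documented SIC key constraint."""
    try:
        decoded = base64.b64decode(b64_key, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return False
    return SIC_KEY_RE.fullmatch(decoded) is not None


def build_gw_configuration(name, version, b64_sic_key, policy, related_account,
                           blades, identity_awareness_settings=None):
    """Assemble the request body, rejecting an unusable SIC key before the
    template ever reaches the Security Management Server."""
    if not validate_sic_key(b64_sic_key):
        raise ValueError("base64_sic_key must decode to 8-30 alphanumeric characters")
    body = {
        "name": name,
        "version": version,
        "base64_sic_key": b64_sic_key,
        "policy": policy,
        "related_account": related_account,
        "blades": blades,
    }
    if identity_awareness_settings is not None:
        # Client-side sanity check (this example's assumption): the settings
        # only make sense when the Identity Awareness blade itself is enabled.
        if not blades.get("identity-awareness"):
            raise ValueError("identity_awareness_settings needs identity-awareness=true")
        body["identity_awareness_settings"] = identity_awareness_settings
    return body


def build_request(mgmt_ip, sid, vendor, body, cme_api_version):
    """Prepare the POST; hand it to urllib.request.urlopen to send it."""
    url = (f"https://{mgmt_ip}/web_api/v1.8/cme-api/{cme_api_version}"
           f"/gwConfigurations/{vendor}")
    headers = {"Content-Type": "application/json", "X-chkp-sid": sid}
    return Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")
```

The sample key "MTIzNDU2Nzg=" from the body above decodes to eight digits and passes the check; a key that decodes to fewer characters or to non-alphanumeric text is rejected before any request is sent.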

Configuring CME using the autoprov_cfg Command Line Configuration Tool (not recommended)

Enabling and Disabling Software Blades

See Supported Configuration Template parameters for parameter information.

Autonomous Threat Prevention

Autonomous Threat Prevention is an innovative Threat Prevention management model. For more details, refer to the Threat Prevention Administration Guide for your version.

Auto Scaling instances do not support the Threat Extraction and Zero Phishing software blades. Therefore, when Autonomous Threat Prevention is enabled in CME, the Zero Phishing and Threat Extraction blades are deactivated in the Threat Prevention Global Exception rules.

Configuring the tgw_menu

The Transit Gateway menu is a command-line based menu to configure the AWS Transit Gateway solution.

For more information, see the CloudGuard Network for AWS Auto Scale Group with Transit Gateway Deployment Guide.

Implied Rules and Restrictive Policy

A restrictive access policy package has only a drop-all cleanup rule. During the Security Gateway provisioning cycle (scale out), CME can first install a restrictive policy package to prevent the Security Gateway from answering the load balancer's health probes before it is fully configured.

  • CME Take 250 and higher:

    Azure:

    Gateway version     Load Balancer   Gateway Load Balancer   Application Gateway
    All versions        SKIP            SKIP                    INSTALL

    AWS:

    Gateway version     Network Load Balancer   Gateway Load Balancer   Application Load Balancer
    R81.10 and higher   SKIP                    SKIP                    INSTALL
    R81 and lower       INSTALL                 SKIP                    INSTALL

    GCP:

    Gateway version     All Load Balancer types
    R81.10 and higher   SKIP
    R81 and lower       INSTALL

    Private Cloud Vendors (NSX-T, Nutanix): CME installs the restrictive policy on all solutions.

  • CME Take 250 and lower:

    CME always installs the restrictive policy.

For CME Takes lower than 250, if the Implied Rules are disabled, you must configure a custom restrictive policy package and set it in the Configuration Template.

For more details, see:

If it is necessary to use the Multi-Domain Server Global Policy together with automatic provisioning, see Global Policy on a Multi-Domain Server.

Objects Banner

Starting from CME Take 252, objects created by CME have a warning banner.

To show the warning banner, CME creates and attaches a tag to objects.

Example of a warning banner for a host object created by CME: